Navigating data privacy legislation in a global society

China, the most populous nation in the world, passed its first significant data privacy legislation in August. Moving forward, any global business or aspiring startup doing any type of trade or offering services online likely will be affected because they’ll be engaging with Chinese residents covered by the Personal Information Protection Law (PIPL).

Although this seems like pretty significant news, the legislation itself is similar to the EU’s General Data Protection Regulation (GDPR), which was introduced in 2016. What is shocking, however, is that companies had two years to prepare for GDPR, while PIPL goes into effect on November 1, 2021.

This leaves companies scrambling to figure out compliance. In addition, it highlights the importance and urgency of data privacy on a global scale. China marks the 17th country to establish a GDPR-like privacy law. Which global superpower is not on this list?

The United States has yet to adopt a broad-reaching, consumer-focused national data privacy law — despite multiple studies indicating that Americans want more control over their personal data online. This oversight has significant implications for the technology industry in particular.

With so much going on, it’s clear that we’ve reached a critical juncture in the maturation of data privacy. How we proceed will affect potentially billions of consumers worldwide as well as the development of companies ranging from the smallest startups to the biggest global enterprises. This moment demands careful consideration.

As such, let’s attempt to break down the present data privacy conundrum, starting first by examining how data privacy legislation is evolving in the U.S. and what this means on a broader scale, before diving into how data minimization attempts address these issues. After weighing these integral pieces of the data privacy puzzle, I will conclude by issuing a call for global data privacy standards that place people firmly in control of their data.

Data privacy in the U.S.

The data privacy landscape in the U.S. is complicated. In short, on the federal level, there has been movement but no overarching data privacy policy in place. There are industry-specific privacy regulations — The Health Insurance Portability and Accountability Act (HIPAA) governing healthcare and Gramm-Leach-Bliley Act (GLBA) covering consumer financial products.

There is also the Children’s Online Privacy Protection Rule (COPPA), designed to protect children under 13. The FTC jumps into the mix as well because it can go after an app or website that violates its own privacy policy (the Federal Trade Commission Act).

But our federal government hasn’t passed a sweeping bill that protects consumers’ digital privacy rights, leaving it up to individual states to do it themselves (e.g., California’s CCPA, Virginia’s VCDPA and Colorado’s ColoPA). This has left plenty of Americans without privacy rights and businesses confused about what they need to do.

Some folks argue that this is how it should be, warning that a gridlocked Congress could never pass meaningful consumer privacy legislation. Even if they do, it will be too watered down to matter, which would then negatively affect carefully constructed state laws.

At the same time, there is the potential of having 50 individual state data privacy laws -- all similar, but likely each different in its own way, creating the nightmare scenario for businesses trying to do the right thing. Now magnify this globally.

Data minimization is not the only answer

One approach being bandied about to help address data privacy involves the principle of data minimization, which allows companies to collect and retain personal information only for a specific purpose.

Basically, it’s a call for companies to simply collect less data. Think marketing teams reducing their intake or establishing retention schedules to purge existing data.

This is great for some, but for others, it can be unrealistic. Even the most consumer-friendly companies are unlikely to encourage marketers to go out and collect less personal information about potential customers, and they could nearly always find a justification for grabbing data.

But, the practice, even in its purest state, could be detrimental to startups that rely on personal information and preferences to develop products and grow their businesses. Data minimization in this sense could have the unintended consequence of stifling innovation.

And frankly, it may not even be necessary if consumers have a say in how their data is acquired and used. In some cases, consumers are OK with sharing personal information because they prefer a more personalized, bespoke experience. For example, brands like Stitch Fix or Sephora ask for a lot of personal preferences upfront to provide a better shopping experience -- and for many, that’s OK.

A call for global data privacy standards

It is my view that all of these complexities, fine lines and moving parts are surfacing and posing problems for companies and consumers because there is no global standard to get people on the same page. Until one exists, everything else is just a Band-Aid.

The time has come for us to develop a set of basic principles on which countries can agree so that consumers worldwide are protected and businesses know what is required of them in any geography.

Otherwise, it won’t be long until we’re looking at a gaggle of international data privacy laws, some more stringent than others and all just a little bit different, making it next to impossible for companies to ensure 100% compliance. It’s time to rein things in.

Data privacy standards would establish a baseline of fairness that spans geographic borders and works for companies at any stage. This would make it exponentially easier for companies to engage in business internationally.

Expect the existing spheres of influence to drive this change. Because there are massive, negative and costly implications on the line for any company that even hopes to go global, entities will work together to create common solutions. The momentum is there. Considering the footprint of China alone, it won’t be long until other countries follow suit.

Despite the shortfalls on data privacy here at home, even U.S.-based trade organizations are pushing forward with the first steps toward global standards. Consumer Reports, for example, has put together a working group to develop potential solutions. This could help fast-track global data privacy interests to protect both companies and consumers.

The heart of data privacy standards

Data privacy standards are now necessary, and the main thing to remember as they develop is that we must give people control over how companies handle their information.

Consumers deserve to know who has access to their information and why, particularly as services and applications become more connected to facilitate transactions. They should also have the right for personal data to be deleted upon request as well as to prevent companies from selling their information without permission. These are basic, universal rights; these are the things governing and supporting bodies should agree on.

Although marketers may grouse, it shouldn’t just be assumed that all consumers object to sharing their information. In fact, many appreciate the customization of experiences or ease of transactions that are made possible by allowing companies to collect and retain their personal information, as noted in the examples above.

Consumer choice ultimately creates a healthier ecosystem overall and opens up new ways for companies to build trust and transparency. It will also prevent companies from perpetually scrambling to develop and manage a slew of different mandates.

I foresee a future where startups are founded as privacy first. This is even likely to become a true differentiator. But the biggest element of change will be to give consumers unquestionable control of their data, no matter where they are, or the systems that contain their personal information. Data privacy standards will protect these rights in ways that other approaches can’t reasonably replicate or deploy at scale; they will eliminate confusion so that businesses can operate efficiently.

Once we are all on the same page through data privacy standardization, true progress can be made.